Diplomatic missions working in Moscow now face a newly exposed, advanced cyber threat: Secret Blizzard’s adversary-in-the-middle (AiTM) campaign, designed to penetrate even the most security-conscious organizations. According to detailed analysis from Microsoft Threat Intelligence, this Russian state-backed group, also tracked as Turla, VENOMOUS BEAR, or Snake, has been systematically targeting embassies by leveraging both sophisticated malware—ApolloShadow—and privileged access to Russian internet infrastructure. The implications reach far beyond confidential memos or embassy back-channels; Secret Blizzard’s campaign provides a chilling demonstration of how lawful intercept technology, compromised network infrastructure, and cleverly engineered malware can turn every online interaction into an intelligence goldmine.

Unmasking the Attack: A Rare Look Into Secret Blizzard’s Operations

Secret Blizzard is attributed by U.S. agencies, such as CISA, to the Russian Federal Security Service (FSB, Center 16). This group has a long history of high-profile espionage activity, often targeting governments, NGOs, and essential infrastructure across Europe and beyond. However, Microsoft’s new findings reveal a dangerous evolution: for the first time, analysts can confirm Secret Blizzard is operating at the ISP level within Russia, specifically to compromise foreign diplomatic missions.
While researchers have long suspected that Russia’s System for Operative Investigative Activities (SORM)—the country’s legislative wiretapping framework—plays a role in supporting domestic surveillance, this campaign offers concrete examples of cyberespionage enabled through such legal intercept systems. By installing covert root certificates, deploying custom malware (ApolloShadow), and exploiting captive portals, Secret Blizzard stands poised to harvest sensitive credentials, surveil internet activity, and gain persistent administrative access on embassy devices.

Anatomy of the Attack: From Captive Portal to Persistent Backdoor

1. Stage One: Initial Access Through Captive Portals

The attack’s starting point is uniquely adapted to the realities of doing business in Russia. When a targeted user connects to a local ISP—possibly at an embassy compound or hotel—a Secret Blizzard-controlled adversary-in-the-middle position waits upstream. Here’s how it unfolds:
  • Captive Portal Hijacking: Instead of normal web traffic, targets are redirected to a familiar, but malicious, captive portal. This imitates what’s often experienced at public Wi-Fi access points, lowering suspicion.
  • Leveraging Windows Connectivity Checks: As Windows devices check for internet access, they trigger a connection to hxxp://www.msftconnecttest[.]com/redirect. Secret Blizzard manipulates this check, redirecting the victim to an attacker-controlled domain and presenting a crafted certificate error.
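The connectivity check abused in Stage One can be verified from the defender's side. The PowerShell script below is an added example, not code from the Microsoft report: it reads the probe host, path and expected body that Windows stores for the Network Connectivity Status Indicator (NCSI) under the NlaSvc registry key, requests that URL with automatic redirects disabled, and reports a redirect, a wrong body or a registry override of the probe host. The User-Agent string is assumed to match the one Windows' own probe sends; the verdict labels are the script's own.

```powershell
# Added example (not from the Microsoft report): is this host's NCSI probe answered
# honestly, or intercepted upstream the way the captive-portal stage describes?
$NcsiKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'
$ExpectedProbeHosts = @('www.msftconnecttest.com', 'www.msftncsi.com')   # Microsoft defaults

function Get-NcsiProbeConfig {
    # Windows keeps the probe host, path and the body it expects in the registry.
    $cfg = Get-ItemProperty -Path $NcsiKey -ErrorAction Stop
    [pscustomobject]@{
        ProbeHost = $cfg.ActiveWebProbeHost
        ProbePath = $cfg.ActiveWebProbePath
        Expected  = $cfg.ActiveWebProbeContent
    }
}

function Test-NcsiProbe {
    param([Parameter(Mandatory)] $Config)

    $findings = New-Object System.Collections.Generic.List[string]
    if ($ExpectedProbeHosts -notcontains $Config.ProbeHost) {
        $findings.Add("Probe host overridden in registry: $($Config.ProbeHost)")
    }

    $url = "http://$($Config.ProbeHost)/$($Config.ProbePath)"
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.AllowAutoRedirect = $false      # a captive portal normally answers with a 3xx
    $req.Timeout = 5000
    $req.UserAgent = 'Microsoft NCSI'    # assumed to match the UA of the real Windows probe

    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if (-not $resp) {
            return [pscustomobject]@{ Url = $url; Status = $null; ResolvedTo = ''; Verdict = 'NO_RESPONSE'; Findings = @($_.Exception.Message) }
        }
    }

    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $body     = ''
    if ($status -eq 200) {
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $body   = $reader.ReadToEnd().Trim()
        $reader.Dispose()
    }
    $resp.Close()

    $verdict = 'OK'
    if ($status -ge 300 -and $status -lt 400) {
        $verdict = 'REDIRECTED'
        $findings.Add("Probe redirected to: $location")
    } elseif ($status -ne 200) {
        $verdict = 'UNEXPECTED_STATUS'
        $findings.Add("HTTP $status")
    } elseif ($body -ne $Config.Expected) {
        $verdict = 'UNEXPECTED_CONTENT'
        $findings.Add("Body was '$body', expected '$($Config.Expected)'")
    }

    # Resolver answers are reported as context: a hijacked probe usually goes
    # together with DNS that points the probe host at the interceptor.
    $addrs = (Resolve-DnsName -Name $Config.ProbeHost -Type A -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress) -join ', '

    [pscustomobject]@{ Url = $url; Status = $status; ResolvedTo = $addrs; Verdict = $verdict; Findings = $findings.ToArray() }
}

Test-NcsiProbe -Config (Get-NcsiProbeConfig) | Format-List
```

Run it from the network under suspicion; on an honest link the verdict is OK with the body matching the registry's expected content. A REDIRECTED verdict with a Location outside Microsoft's domains, or a probe host that has been changed in the registry, is the condition this stage depends on and is worth escalating before any user follows a "connectivity" prompt.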

2. Stage Two: Delivery and Installation of ApolloShadow

Taking advantage of the fake error, the attacker prompts the target to download and install “CertificateDB.exe,” disguised as a legitimate Kaspersky Antivirus installer. Unwittingly, the user installs ApolloShadow—a multi-stage malware package with extensive capabilities.
  • Installation of Malicious Certificates: The malware installs custom root certificates, tricking the operating system into trusting attacker-controlled sites. This effectively allows for widespread SSL/TLS interception and browser traffic decryption.
  • Elevation of Privileges: ApolloShadow checks user privileges and, if necessary, uses social engineering and Windows UAC pop-ups to escalate rights.
  • Persistence Mechanisms: Notably, ApolloShadow creates a hidden administrative account (“UpdatusUser”) with a hardcoded password that never expires.

3. Stage Three: Network and Host Manipulation

Once established, ApolloShadow operates across privilege levels:
  • Network Information Gathering: The malware collects local IP data and encodes it for exfiltration, using what appear to be legitimate requests to trusted domains. Through DNS manipulation, Secret Blizzard reroutes these checks back to its own infrastructure.
  • Firewall and Network Discovery Manipulation: With high privileges, it changes network profiles via registry edits and COM-based firewall rule adjustments, facilitating both lateral movement and data exfiltration—all while striving to remain undetected.
  • Certificate Trust Expansion: The attack even targets Firefox, which maintains a separate certificate store from Windows. ApolloShadow writes new preferences to force Firefox to trust the malicious root certificates.

4. Command, Control, and Data Exfiltration

Data is exfiltrated by leveraging AiTM positions to redirect otherwise normal traffic to attacker servers, often using base64-encoded strings in URLs and cleverly obfuscated VBScripts for further payloads.

Assessing the Technical Sophistication

The campaign demonstrates an advanced understanding of modern Windows systems and Russian internet infrastructure:
  • ISP-Level AiTM: By operating at the telecommunications layer (including leveraging SORM), Secret Blizzard can invisibly manipulate and intercept all internet-bound traffic at will for specific targets—a privilege only available to well-resourced state actors.
  • Custom Malware Engineering: ApolloShadow shows signs of sophisticated modular design, with dedicated routines for host discovery, privilege escalation, certificate manipulation, and persistence.
  • Blending In: Use of official Kaspersky branding for malware lures and leveraging the Windows connectivity process reduces suspicion and increases the likelihood of user compliance.
These technical innovations, paired with the ability to manipulate Russia’s own internet backbone, make Secret Blizzard’s approach exceptionally difficult to counter with traditional network security tools.

Risks and Implications for Diplomatic Missions

1. Compromised Confidentiality

Once ApolloShadow is installed, even otherwise encrypted communications (including confidential documents, emails, and credentials) can be transparently decrypted and harvested by the attacker. Because the malware is installed with root privileges, it bypasses nearly all endpoint protection mechanisms.

2. Increased Surveillance Surface

Operating within Russian borders, foreign embassies are at a severe disadvantage. Any traffic not routed through a separate, trusted network is vulnerable. Standard best practices, such as keeping systems patched and deploying endpoint protection, may not be effective against ISP-level attacks or covert certificate manipulation.

3. Potential Lateral Movement and Network Spread

By altering network discovery and firewall configurations, ApolloShadow could facilitate rapid lateral movement should the attacker pursue broader network compromise, even though no direct lateral movement was observed in this campaign.

4. Long-Term Persistence

With the creation of a hardcoded local admin account and root certificate trust, even reimaging the endpoint may not fully remove the attacker’s foothold if the underlying network remains compromised and users re-enter credentials or re-install certificates under social engineering pressure.

Defensive Recommendations: Mitigating Secret Blizzard’s Threat

Universal Principles

While this campaign’s primary targets are diplomatic and governmental, the lessons apply broadly to any entity operating in a hostile or surveilled environment:
  • Force All Traffic Through Trusted, Encrypted Tunnels: Use strongly encrypted VPNs or satellite-based connections. Critically, the VPN provider must operate entirely outside the influence of local actors—the use of internationally managed satellite services is now recommended by Microsoft for embassy operations in Russia.
  • Monitor for Certificate Store Changes: Watch for unexpected modifications to root and authority stores, especially installations masquerading as trusted vendors (e.g., Kaspersky or others).
  • Strict UAC and Multi-Factor Authentication: Do not allow users to install software or certificates without rigorous change controls and multi-person approvals.
  • Endpoint Monitoring and Incident Response Readiness: Configure endpoint security to alert on unexpected administrative user creation, suspicious invocation of certutil.exe, and anomalous changes in network profiles.
  • Isolate Critical Systems: Treat every device as potentially compromised; segment networks to limit lateral movement.
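The monitoring items in the list above map directly onto the footholds described in Stages Two and Three: a hidden local administrator with a non-expiring password, root certificates added to the machine or user store, and network profiles switched away from Public. The PowerShell host audit below is an added example, not code from the Microsoft report or from Microsoft's products; it reports each of those conditions at a point in time. The baseline file path is an assumption (generate the baseline once on a clean image), the account name UpdatusUser comes from the report, and the Kaspersky subject match is only a hint drawn from the vendor-lure described earlier.

```powershell
# Added example (not from the Microsoft report): point-in-time audit for the three
# host footholds described above. Baseline path is an assumption.
$BaselinePath     = 'C:\SecBaseline\root-thumbprints.txt'   # assumed clean-image baseline
$KnownBadAccounts = @('UpdatusUser')                        # account name from the report

function Get-SuspiciousLocalAdmins {
    # Local members of Administrators whose password never expires, or a known indicator name.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
      Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' } |
      ForEach-Object {
        $name = ($_.Name -split '\\')[-1]
        $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        if ($u -and $u.Enabled -and ($u.PasswordNeverExpires -or $KnownBadAccounts -contains $u.Name)) {
            [pscustomobject]@{
                Account              = $u.Name
                KnownIndicator       = ($KnownBadAccounts -contains $u.Name)
                PasswordNeverExpires = $u.PasswordNeverExpires
                PasswordLastSet      = $u.PasswordLastSet
                SID                  = $u.SID.Value
            }
        }
      }
}

function Export-RootBaseline {
    # Run once on a clean, fully configured image and keep the output under change control.
    Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
      Select-Object -ExpandProperty Thumbprint | Sort-Object -Unique |
      Set-Content -Path $BaselinePath
}

function Get-RootStoreDelta {
    $known = @{}
    if (Test-Path $BaselinePath) {
        Get-Content -Path $BaselinePath | ForEach-Object { $known[$_.Trim().ToUpperInvariant()] = $true }
    }
    # CurrentUser\Root is included: a non-elevated installer can still add a root there,
    # and the resulting Windows prompt is exactly what the lure talks the user through.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        foreach ($cert in Get-ChildItem -Path $store) {
            if ($known.ContainsKey($cert.Thumbprint.ToUpperInvariant())) { continue }
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                NotBefore  = $cert.NotBefore
                VendorLure = ($cert.Subject -match 'Kaspersky')   # masquerading-as-vendor hint only
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

function Get-NonPublicNetworkProfiles {
    # Private/Domain profiles enable discovery and relax firewall rules; on an
    # untrusted link that is the state the Stage Three registry edits aim for.
    Get-NetConnectionProfile -ErrorAction SilentlyContinue |
      Where-Object { $_.NetworkCategory -ne 'Public' } |
      Select-Object Name, InterfaceAlias, NetworkCategory, IPv4Connectivity
}

function Invoke-HostFootholdAudit {
    [pscustomobject]@{
        SuspiciousAdmins  = @(Get-SuspiciousLocalAdmins)
        UnbaselinedRoots  = @(Get-RootStoreDelta)
        NonPublicProfiles = @(Get-NonPublicNetworkProfiles)
    }
}

$report = Invoke-HostFootholdAudit
$report.SuspiciousAdmins  | Format-Table -AutoSize
$report.UnbaselinedRoots  | Format-Table Store, Subject, SelfSigned, VendorLure, NotBefore -AutoSize
$report.NonPublicProfiles | Format-Table -AutoSize
```

Without a baseline file every root certificate is reported, so run Export-RootBaseline on a known-good build first. The audit is a snapshot; scheduling it, or feeding the same three conditions into endpoint telemetry as the list recommends, turns it into continuous detection.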

Specific Detection and Hunting Guidance

Organizations with access to Microsoft Defender XDR or Sentinel can leverage the following:
  • Microsoft Defender for Endpoint Alerts: Focus on suspicious root certificate installations, unusual certutil activity, and unauthorized user account creation.
  • Hunting Queries: Use advanced hunting to identify devices that download files shortly after captive portal redirection.
  • Threat Intelligence Integration: Proactively block identified IoCs, including kav-certificates[.]info and associated file hashes (e.g., SHA256: 13fafb1ae2d5de024e68f2e2fc820bc79ef0690c40dbfd70246bcc394c52ea20).

Addressing Firefox Vulnerabilities

Since ApolloShadow specifically forces Firefox to trust added root certificates, administrators should:
  • Review Firefox Preferences: Regularly check for unauthorized modifications of wincert.js and the security.enterprise_roots.enabled flag.
  • Automate Preference Audits: Implement scripts or tools that alert whenever new trust relationships are established outside of standard enterprise policy.
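One way to automate the preference audit just described, as an added example that is not code from the Microsoft report or from Mozilla: Firefox imports roots from the Windows certificate store when security.enterprise_roots.enabled is true, so the script below reports every file that sets that preference, in per-profile user.js/prefs.js files and in the install-wide defaults\pref directory, and checks whether a Firefox enterprise policy (ImportEnterpriseRoots) legitimately asks for it. The defaults\pref directory is an assumption about where a dropped default-preference file such as wincert.js would be read from; the verdict strings are the script's own.

```powershell
# Added example (not from the Microsoft report): audit Firefox for the trust change
# described above and separate policy-managed enablement from unexplained enablement.
$PrefName  = 'security.enterprise_roots.enabled'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Certificates'   # Firefox enterprise policy key

function Get-FirefoxPrefFiles {
    $files = @()
    $profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (Test-Path $profileRoot) {
        # user.js and prefs.js hold per-profile overrides
        $files += Get-ChildItem -Path $profileRoot -Recurse -Include 'user.js', 'prefs.js' -File -ErrorAction SilentlyContinue
    }
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if (-not $root) { continue }
        # assumed location of install-wide default preference files (where wincert.js would land)
        $defaults = Join-Path $root 'Mozilla Firefox\defaults\pref'
        if (Test-Path $defaults) {
            $files += Get-ChildItem -Path $defaults -Filter '*.js' -File
        }
    }
    $files
}

function Get-EnterpriseRootsSettings {
    param([System.IO.FileInfo[]]$Files = (Get-FirefoxPrefFiles))
    # matches user_pref("...", true) in profiles and pref("...", true) in defaults
    $pattern = '^\s*(?:user_)?pref\(\s*"' + [regex]::Escape($PrefName) + '"\s*,\s*(true|false)\s*\)'
    foreach ($f in $Files) {
        $lineNo = 0
        foreach ($line in (Get-Content -Path $f.FullName -ErrorAction SilentlyContinue)) {
            $lineNo++
            if ($line -match $pattern) {
                [pscustomobject]@{
                    File        = $f.FullName
                    Line        = $lineNo
                    Enabled     = ($Matches[1] -eq 'true')
                    Modified    = $f.LastWriteTime
                    DroppedFile = ($f.Name -ieq 'wincert.js')   # file name from the report
                }
            }
        }
    }
}

function Test-EnterpriseRootsPolicy {
    # $true when a managed policy sets ImportEnterpriseRoots; only then is an
    # enabling preference line expected rather than something to explain.
    $p = Get-ItemProperty -Path $PolicyKey -Name 'ImportEnterpriseRoots' -ErrorAction SilentlyContinue
    [bool]($p -and $p.ImportEnterpriseRoots -eq 1)
}

function Invoke-FirefoxTrustAudit {
    $policy   = Test-EnterpriseRootsPolicy
    $settings = @(Get-EnterpriseRootsSettings)
    foreach ($s in $settings) {
        if (-not $s.Enabled)    { $verdict = 'disabled' }
        elseif ($s.DroppedFile) { $verdict = 'ALERT: wincert.js enables enterprise roots' }
        elseif ($policy)        { $verdict = 'enabled by policy' }
        else                    { $verdict = 'ALERT: enabled outside policy' }
        $s | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
    }
}

Invoke-FirefoxTrustAudit | Format-Table File, Line, Enabled, Modified, Verdict -AutoSize
```

Any ALERT row should be read together with the host's root-store contents, since enabling the preference is only harmful when an untrusted root is present in the Windows store. The script runs in the context of the current user; run it per user, or point $profileRoot at each user's profile directory, on shared machines.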

Broader Security Community Response

Other leading cybersecurity vendors, such as ESET and Kaspersky, have reported similar AiTM tactics by Russian-state actors in recent years. The overlapping threat group nomenclature—VENOMOUS BEAR, Snake, Turla—attests to the persistent, multi-generational development tracks of these organizations. Recent ESET reporting highlights nearly identical techniques targeting ministries across Eastern Europe, reinforcing Microsoft’s assessment that these tools are being widely (and repeatedly) repurposed for intelligence objectives.

Plausibility and the Limits of Attribution

While Microsoft’s attributions are supported by CISA and other authorities, definitive technical attribution in cyberspace remains contentious. Some offensive techniques—like certificate injection or the use of fake captive portals—are within reach of both highly skilled criminals and states. However, the necessary combination of privileged network access and alignment with state interests makes the case for FSB involvement strong.
Nonetheless, readers are advised to approach all such attribution claims with a measure of critical skepticism—especially given the geopolitical stakes. Only nation-states with legislative interception capabilities and access to ISP or backbone infrastructure are thought capable of orchestrating AiTM attacks at this level and scale.

The Evolution of State-Sponsored Espionage

The Secret Blizzard campaign is a stark indicator of the ways in which state-sponsored espionage is rapidly outpacing conventional security models. Where once the endpoint, local network, and firewall sufficed, organizations must now design security approaches predicated on the assumption that every layer of the network stack—from the fiber to the root CA—might be hostile.
This evolving threat landscape underscores several long-term trends:
  • Deep Packet and TLS/SSL Interception at National Scale: States can now exploit both “lawful intercept” frameworks and malware to break privacy assumptions even for encrypted traffic.
  • Supply Chain and Third-Party Risk: The use of trusted-brand lures (such as Kaspersky or Flash installers) erodes user trust and increases the difficulty of social engineering detection.
  • Operational Tradeoffs for Diplomats: Embassies must balance their ability to operate locally against the persistent, demonstrated risk of deep surveillance and compromise.

Conclusion: A Caution for All—Not Just Diplomats in Moscow

Although Microsoft’s analysis spotlights threats facing missions in Russia, the core attack techniques—AiTM-injected captive portals, certificate-based SSL/TLS interception, rootkit-style persistence—are portable to any hostile network environment. The lessons are clear:
  • Assume persistent compromise in untrusted environments.
  • Route all sensitive communications through dedicated, externalized infrastructure.
  • Scrutinize user prompts—especially related to certificates, “connectivity repairs,” or security updates.
  • Prepare for the inevitable: security postures must be robust enough to survive endpoint compromise.
As highly resourced adversaries continue to innovate—blending lawful intercept with custom malware and clever phishing—organizations worldwide must up their defenses, combining technical controls, vigilant user education, and trusted communication channels if they hope to stay even a step ahead in this new era of cyberespionage.
For the latest research, indicators, and in-depth technical explorations, Microsoft Threat Intelligence and independent threat intelligence vendors remain crucial sources for defenders and policymakers alike. This campaign’s revelations should prompt every international organization, not just embassies in Moscow, to revisit their security assumptions and toolsets in light of rapidly advancing—and undeniably real—state-level cyber threats.

Source: Microsoft Security Blog, “Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats” (Microsoft Threat Intelligence)